[csf.tools Note: Subcategories do not have detailed descriptions.]

Related controls

NIST Special Publication 800-53 Revision 5

CM-3: Configuration Change Control
Determine and document the types of changes to the system that are configuration-controlled; review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; document configuration change decisions associated with the system; implement approved configuration-controlled changes to the system; retain records of configuration-controlled changes…

CM-4: Impact Analyses
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

SA-10: Developer Configuration Management
Require the developer of the system, system component, or system service to: perform configuration management during system, component, or service [Assignment (one or more): design, development, implementation, operation, disposal]; document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; implement only organization-approved changes to the system, component, or service;…

NIST Special Publication 800-171 Revision 2

3.4.3: Track, review, approve or disapprove, and log changes to organizational systems
Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration…

3.4.4: Analyze the security impact of changes prior to implementation
Organizational personnel with information security responsibilities (e.g., system administrators, system security officers, system security managers, and systems security engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the associated security ramifications. Security impact analysis may include reviewing security plans to…

3.4.5: Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems
Any changes to the hardware, software, or firmware components of systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes, including upgrades and modifications. Access restrictions for change also include software libraries. Access restrictions include physical…

Cloud Controls Matrix v3.0.1

CCC-01: New Development / Acquisition
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network, and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization's business leadership or other accountable business role or function.

CCC-02: Outsourced Development
External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes).

CCC-03: Quality Testing
Organizations shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards that focus on system availability, confidentiality, and integrity of systems and services.

CCC-04: Unauthorized Software Installations
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.

CCC-05: Production Changes
Policies and procedures shall be established for managing the risks associated with applying changes to: business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations; infrastructure network and systems components. Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or…

IVS-02: Change Detection
The provider shall ensure the integrity of all virtual machine images at all times. Any changes made to virtual machine images must be logged and an alert raised regardless of their running state (e.g., dormant, off, or running). The results of a change or move of an image and the subsequent validation of the image's…

NIST Special Publication 800-53 Revision 4

CM-3: Configuration Change Control
The organization: determines the types of changes to the information system that are configuration-controlled; reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; documents configuration change decisions associated with the information system; implements approved configuration-controlled changes to the information system; retains records of…

CM-4: Security Impact Analysis
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

SA-10: Developer Configuration Management
The organization requires the developer of the information system, system component, or information system service to: perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; implement only organization-approved changes to the system,…

Frequently asked questions

What is the correct order of steps in the change control process?
The five steps of a change control process:
1. Change request initiation. In the initiation phase of the change control process, a change is requested. …
2. Change request assessment. …
3. Change request analysis. …
4. Change request implementation. …
5. Change request closure.

Which of the following refers to the management of baseline settings for a system device?
(T/F) The process of managing the baseline settings of a system device is the definition of configuration control.

Who has the authority to approve a system for implementation?
In an accreditation process, who has the authority to approve a system for implementation? The authorizing official (AO) is a senior manager who reviews the certification report and makes the decision to approve a system for implementation.